We’re drowning in data these days. And the data deluge is not going to stop anytime soon.
Our thirst for more competitive insights is seeing us hoarding more data stores and sources. And with the Internet of Things (IoT) devices and artificial intelligence (AI) models creating additional data, data management will remain a major flashpoint for the foreseeable future.
So will data resilience, which companies often overlook by focusing on cyber security only. As companies create, store and share more data across various stores, the risk of data crimes or corruption only gets higher.
In the past three years, this risk has soared. As companies digitalised in a hurry to operate in a COVID-19 world and stitch together a SaaS ecosystem to support a remote workforce, they further exposed their data to hackers and human errors. While many newspaper headlines feature large companies or organisations, we often don’t get to see the vast number of smaller companies and individuals who suffered similar catastrophes.
Ransomware opened a new front line in the data security wars. It is no longer about disruption or stealing credentials for sale on the dark web. Now all kinds of hackers are using openly available kits to encrypt data within systems and demanding a ransom to decrypt it. It creates a direct revenue line for criminals, lucrative enough for cybercrime syndicates and large hacker teams to jump in.
They have also started to go after softer targets, such as healthcare and utilities, industries that are less hardened than financial services. And some ransomware hackers do not even bother to encrypt: they unleash wiperware instead and delete large chunks of data to cause mayhem and harm.
“As we get more digital and connected, we produce more data, particularly unstructured data. Indirectly, we are increasing the attack surface,” said Florian Malecki, executive vice president for marketing at Arcserve.
Measure the recovery gap
In his conversations with IT decision-makers, Malecki also uncovered a sobering truth: while many companies have data resilience strategies, they’re unbalanced — focusing more on IT security solutions.
“Many IT leaders have mainly invested in next-generation IT Security products, but a lot of organisations are not necessarily up to the mark with their backup and recovery capabilities.”
Florian Malecki
That’s a big challenge when dealing with ransomware, which is incredibly asymmetric. Most attacks are carried out quickly from inception, thanks to ransomware-as-a-service and toolkits on the Tor-based dark web. Yet it takes a humongous amount of effort to recover from one.
“To recover your data, you need to understand where your backup data is actually stored and how it is protected,” said Malecki.
He stressed his point by citing an example of an Italian city that was hit by ransomware earlier this year. As a result, some of its backups were corrupted. The city’s Veeam server was unavailable, as was its VMware infrastructure. The city relied on its Arcserve tape recovery solution and the remaining accessible data from its Oracle database and NetApp storage in its initial recovery efforts.
Even if you have the backup data ready to restore, it may not be good enough. “Do you test your recovery capabilities? Do you leverage immutable storage to secure the data that you really need?” questioned Malecki.
Ransomware attackers going after backup data only compounds the problem. Many use a dual strategy and encrypt the backup data first; some simply use wiperware to blow it to bits. It makes sense from the attacker’s point of view, as it offers an “insurance” policy: the company has no choice but to deal with the ransomer for the decryption key.
Lastly, ransomware attackers are not sitting still. They are constantly switching up their attack plans. Some break into networks, park their malware within and lie dormant for days, weeks or even months without encrypting any data. Anti-malware tools often won’t trigger, and it takes a single lapse for them to pounce.
Add another “1”
Data protection teams are not helpless. Most subscribe to the time-tested 3-2-1 strategy: keep three copies of your data, the primary plus two backups (the “3”), store them on two different media types (the “2”) and keep one backup copy offsite (the “1”).
Differentiate with immutability
Malecki strongly recommends adding immutable storage to the strategy, becoming 3-2-1-1.
Immutable storage borrows a concept many are familiar with from blockchains. Essentially, an immutable storage device holds backup data that cannot be changed by any means: the data is written once using the write-once-read-many (WORM) method and cannot be modified after that.
Malecki sees immutable storage as the “last line of defence” for recovering data and backups after a successful ransomware attack. He also noted its rising popularity among data protection experts. Today you can use immutable storage on-premises or in the cloud. “So, again, depending on the nature of the business and the strategy, the good news is organisations have a choice,” said Malecki.
The importance of air-gapped backup
Immutability does not always mean immunity. While attackers can’t modify files stored on an immutable storage solution, that does not mean you are 100% protected from data theft.
This is why Malecki feels it is critical to also implement an air-gapped copy of the backup data that is separated from the company’s network and secured offline. This is where tape backup technology can be leveraged.
“Essentially, you’re making it hard for ransomware attackers to wipe backup data as you have copies that are not connected to the corporate system. The only way is if they have an insider or someone social-engineered to corrupt or delete it physically.”
Florian Malecki
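As an added illustration, not part of the article or of Arcserve’s tooling, the script below models a backup inventory against the 3-2-1-1 rule from the two sections above and against the attack the article describes: mutable copies reachable from the network are encrypted or wiped, WORM copies cannot be altered, and air-gapped copies survive unless an insider destroys them physically. The Copy fields, the sample inventories and the survival rules are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Copy:
    name: str
    media: str          # "disk", "object-storage", "tape", ...
    offsite: bool
    immutable: bool     # WORM storage: cannot be modified or deleted
    air_gapped: bool    # not reachable from the corporate network

def check_3_2_1_1(copies):
    """Map each part of 3-2-1-1 to True/False for this inventory."""
    return {
        "3 copies": len(copies) >= 3,
        "2 media types": len({c.media for c in copies}) >= 2,
        "1 offsite": any(c.offsite for c in copies),
        "1 immutable": any(c.immutable for c in copies),
    }

def survivors(copies, insider=False):
    """Copies still restorable after the attack the article describes:
    every mutable copy reachable from the network is encrypted or wiped,
    immutable (WORM) copies cannot be altered, and air-gapped copies
    survive unless an insider with physical access corrupts them."""
    return [c for c in copies if c.immutable or (c.air_gapped and not insider)]

def theft_exposed(copies):
    """Immutability stops modification, not theft: anything reachable
    from the network can still be read and exfiltrated."""
    return [c for c in copies if not c.air_gapped]

# Constructed inventory modelled loosely on the article's recovery story:
# primary disk, an on-site replica, a WORM object store and offsite tape.
INVENTORY = (
    Copy("primary", "disk", offsite=False, immutable=False, air_gapped=False),
    Copy("replica", "disk", offsite=False, immutable=False, air_gapped=False),
    Copy("cloud-worm", "object-storage", offsite=True, immutable=True, air_gapped=False),
    Copy("offsite-tape", "tape", offsite=True, immutable=False, air_gapped=True),
)
# Constructed weaker inventory: satisfies 3-2-1 but has no immutable or air-gapped copy.
WEAK = (INVENTORY[0], INVENTORY[1],
        Copy("cloud-sync", "object-storage", offsite=True, immutable=False, air_gapped=False))

if __name__ == "__main__":
    for label, inv in (("3-2-1-1", INVENTORY), ("3-2-1 only", WEAK)):
        print(label, check_3_2_1_1(inv))
        print("  restorable after attack:", [c.name for c in survivors(inv)])
        print("  ... with an insider too:", [c.name for c in survivors(inv, insider=True)])
        print("  exposed to theft:", [c.name for c in theft_exposed(inv)])
```

The weaker inventory passes the classic 3-2-1 check yet leaves nothing restorable once the network-reachable copies are hit, which is the recovery gap the article warns about.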
Re-balance calculation
Ransomware operators are constantly probing current defences to learn and adapt. Eventually, one such attack will inevitably get through, despite the IT security solutions in place. “So, it's really about ensuring that you treat all parts of your data resilience strategy at the same level, from cybersecurity, orchestrated recovery to processes. That way, when an attack does get through, you are fully prepared and ready to recover quickly,” concluded Malecki.